Securing Exchange behind router/IOS firewall

Here's my scenario:

Going to install a single Exchange server behind a Cisco router/IOS firewall. Would like to be able to use OWA (Outlook Web Access). Trying to do this as securely as possible. Do not want to put the server out on the DMZ as it belongs to the domain, and do not want to put it on the internal network with holes punched in the firewall. Can't afford another server to put out on the DMZ as an SMTP gateway or to run ISA. MS has recommended that the best way to do this is with 2 NICs installed in the Exchange server: the external connected to the DMZ and the internal connected to the internal network. Then co-locate both ISA and Exchange on the same server and create server publishing rules to allow the Exchange server to be published to the internet via the external NIC. ISA would then intercept incoming mail and connections to OWA on the external NIC, filter the traffic and forward it on to the internal NIC. I really do not want to use ISA though. Could I accomplish the same with the router/IOS firewall, or should I use ISA as an extra layer of security?

Thanks in advance,

Ken

6 Replies

mostiguy
Level 6

ISA does add some additional security features/options, but you can live without it. Enforce SSL only, only open port 443 to the Exchange box for HTTPS, keep up to date with patches, and you should be fine.
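What the reply above amounts to on the IOS firewall itself, as an added example that is not from any poster in this thread: a static port NAT plus an inbound ACL with CBAC inspection so that only TCP/443 of the Exchange host is reachable from the Internet, with the weak "whole host" rule shown commented out for contrast. The addresses (192.0.2.1 outside, 192.0.2.10 public OWA address, 10.0.0.10 Exchange), the interface names and the ACL/inspect names are assumed placeholders.

```cisco
! --- Weak: exposes every port on the Exchange host (shown for contrast only) ---
! ip access-list extended OUTSIDE_IN
!  permit ip any host 192.0.2.10
!
! --- Corrected: only HTTPS (OWA over SSL) reaches the Exchange host ---
! Static NAT for a single port: public 192.0.2.10:443 -> Exchange 10.0.0.10:443
ip nat inside source static tcp 10.0.0.10 443 192.0.2.10 443 extendable
! Add this only if the Exchange box must also receive SMTP directly from the Internet
! ip nat inside source static tcp 10.0.0.10 25 192.0.2.10 25 extendable
!
! CBAC: track sessions leaving the outside interface so only their replies
! are let back in; everything else inbound hits the static ACL below
ip inspect name EXCH_FW tcp
ip inspect name EXCH_FW udp
!
ip access-list extended OUTSIDE_IN
 remark OWA over SSL only; port 80 stays closed so SSL cannot be bypassed
 permit tcp any host 192.0.2.10 eq 443
 remark uncomment together with the SMTP NAT line above if needed
 ! permit tcp any host 192.0.2.10 eq smtp
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside (Internet)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect EXCH_FW out
!
interface FastEthernet0/1
 description Inside (domain LAN with the Exchange server)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
```

The `deny ip any any log` line gives you a log entry for every rejected inbound connection attempt, which is the quickest way to confirm nothing but 443 is getting through.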

bfl1
Level 1

The only way to even do this somewhat securely is to use front-end server/back-end server technology. The server in the DMZ is what the users connect to; in return, this server connects to the internal Exchange server. Why can't you put the server in the DMZ? Because it belongs to the domain? Why is this a limiting factor?

MS has recommended the server NOT be put in the DMZ and be installed on the internal LAN

Agree with MS 100%. If this is an Exchange server that holds your information store, then keep it internal. The only truly secure way of doing this is to purchase the server you can't afford and make it a front-end server, put it in the DMZ, open port 443 to this server... the front-end will perform all the communications with the Exchange server running the information store. If this is not a possibility, then here are a couple of options:

1) Open port 443 to the internal Exchange server

2) Use Identity certificates for all your clients that connect.

3) Keep your server patched.

4) Inform management of risks and get their buy off.

I have to agree with bfl1. Don't put it in the DMZ; bad idea based on the exploits per week brought to you by MS. You should put an ISA server in the DMZ that allows connections to the internal Exchange server, and keep both patched.

anup_bekal
Level 1

Hi

Since you cannot afford another server and do not want to put the Exchange server inside the network, you can go ahead with the Exchange server in the DMZ of a PIX firewall. An Exchange server in the DMZ can join the same Windows NT/2000 domain as your internal network without any problem.

Also, it is recommended that any server that needs to be accessed from the Internet be kept in the DMZ rather than on the inside network.

If you have already purchased the ISA Server you can install it in Proxy mode (NOT in Firewall mode) and place it in the DMZ. Internal users will access the Internet through ISA, and you can have logs of Internet activity using ISA.

Regards

Anoop Kumar Narayanan

NICBM Kuwait
